@semalt-ai/code 1.7.0 → 1.8.1

package/.claude/settings.local.json

@@ -0,0 +1,8 @@
+{
+  "permissions": {
+    "allow": [
+      "Bash(grep -oP '.{0,120}chat:stash.{0,120}' /usr/local/lib/node_modules/@anthropic-ai/claude-code/cli.js)",
+      "Bash(grep -oP '.{0,100}externalEditor.{0,100}' /usr/local/lib/node_modules/@anthropic-ai/claude-code/cli.js)"
+    ]
+  }
+}

package/ARCHITECTURE.md

@@ -0,0 +1,99 @@
+# semalt-code — Architecture Reference
+
+## lib/ File Responsibilities
+
+| File | Responsibility |
+|------|----------------|
+| `lib/agent.js` | Agent loop: iterates up to 10 times, streams LLM response, extracts tool calls, dispatches execution, accumulates results back into the message history |
+| `lib/api.js` | HTTP client for both OpenAI-compatible inference (`chatStream`, `chatSync`) and dashboard REST calls (auth, models, chat history); manually parses `text/event-stream` |
+| `lib/args.js` | CLI argument parser; maps flags (`-m`, `-f`, `--dry-run`, …) to an `opts` object and collects positional args |
+| `lib/commands.js` | All top-level command handlers: `cmdChat`, `cmdCode`, `cmdEdit`, `cmdShell`, `cmdLogin`, `cmdLogout`, `cmdWhoAmI`, `cmdModels`, `cmdInit` |
+| `lib/config.js` | Read/write `~/.semalt-ai/config.json`; `normalizeConfig` merges defaults, migrates legacy keys, validates types |
+| `lib/constants.js` | `DEFAULT_CONFIG`, `DEFAULT_API_TIMEOUT_MS`, `CONFIG_PATH`, `PACKAGE_JSON` |
+| `lib/context.js` | Loads file or directory trees into a prompt context string; caps directory walks at 50 files, single files at 10 000 chars |
+| `lib/permissions.js` | Per-session approval tracking; interactive yes/always/no prompt before each tool action; `toggleAll` for `/approve` |
+| `lib/prompts.js` | Returns the system prompt string that instructs the LLM which XML tool tags to use and how |
+| `lib/tools.js` | Implements `agentExecShell` and `agentExecFile` (16 file/env/network actions) plus `extractToolCalls` regex parser |
+| `lib/ui.js` | All terminal rendering: ANSI constants, `StreamRenderer` (markdown + tool-call display + inline diff), `readInteractiveInput`, `interactiveSelect`, `printBanner`, `printStatusBar` |
+
+---
+
+## Agent Loop Flow
+
+1. `runAgentLoop(messages, model)` is called with the current message array (max 10 iterations).
+2. `chatStream(messages, { model })` sends the array to the LLM and streams tokens through `StreamRenderer` to the terminal.
+3. The full assistant text is appended to `messages` as `{ role: 'assistant', content }`.
+4. `extractToolCalls(reply)` scans the text for XML tool tags and fenced shell blocks; returns an ordered list of `[action, ...args]` tuples.
+5. If no tool calls are found, the loop ends.
+6. For each tool call, `permissionManager.askPermission(type, description)` prompts the user (yes / yes-always / no).
+7. Approved shell calls go to `agentExecShell`; all other calls go to `agentExecFile`.
+8. Results (or denial messages) are concatenated and pushed to `messages` as a `user` turn: `"Tool execution results:\n\n…\n\nContinue with the task."`.
+9. If any call was denied, a warning is printed and the loop continues with partial results.
+10. Go to step 2.
+
+---
+
+## Tool Tags
+
+All tags are parsed by `extractToolCalls` in `lib/tools.js` and displayed by `StreamRenderer` in `lib/ui.js`.
+
+| Tag | Syntax | Action dispatched |
+|-----|--------|-------------------|
+| `exec` | `<exec>command</exec>` | `shell` |
+| `shell` | `<shell>command</shell>` | `shell` (alias) |
+| `run_command` | `<run_command>command</run_command>` | `shell` (alias) |
+| `run` | `<run>command</run>` | `shell` (alias) |
+| Fenced shell block | ` ```shell\ncommand\n``` ` | `shell` (one call per non-comment line) |
+| `read_file` (content) | `<read_file>/path</read_file>` | `read` |
+| `read_file` (attribute) | `<read_file path="/path"/>` | `read` |
+| `write_file` | `<write_file path="/path">content</write_file>` | `write` |
+| `append_file` | `<append_file path="/path">content</append_file>` | `append` |
+| `list_dir` | `<list_dir>/path</list_dir>` | `list_dir` |
+| `search_files` | `<search_files>pattern</search_files>` | `search_files` |
+| `delete_file` | `<delete_file>/path</delete_file>` | `delete_file` |
+| `make_dir` | `<make_dir>/path</make_dir>` | `make_dir` |
+| `remove_dir` | `<remove_dir>/path</remove_dir>` | `remove_dir` |
+| `get_env` | `<get_env>VAR_NAME</get_env>` | `get_env` |
+| `set_env` | `<set_env name="VAR" value="val"/>` | `set_env` |
+| `move_file` | `<move_file src="/src" dst="/dst"/>` | `move_file` |
+| `copy_file` | `<copy_file src="/src" dst="/dst"/>` | `copy_file` |
+| `edit_file` | `<edit_file path="/path" line="N">new line content</edit_file>` | `edit_file` |
+| `search_in_file` | `<search_in_file path="/path">regex</search_in_file>` | `search_in_file` |
+| `replace_in_file` | `<replace_in_file path="/path" search="old" replace="new"></replace_in_file>` | `replace_in_file` |
+| `download` | `<download>https://url</download>` | `download` |
+| `upload` | `<upload path="/path">base64content</upload>` | `upload` |
+
+---
+
+## DEFAULT_CONFIG Keys
+
+Defined in `lib/constants.js` and merged/validated by `lib/config.js`.
+
+| Key | Default | Description |
+|-----|---------|-------------|
+| `api_base` | `"http://127.0.0.1:8800"` | OpenAI-compatible inference base URL (normalized to include `/v1`) |
+| `api_key` | `"any"` | API key sent as `Authorization: Bearer` to the inference endpoint |
+| `dashboard_url` | `"https://cli.semalt.ai"` | Base URL for the web dashboard (auth, models, chat history) |
+| `auth_token` | `""` | Bearer token written by `semalt login`, cleared by `logout` |
+| `default_model` | `"default"` | Model identifier sent in chat completions payloads |
+| `dashboard_model_id` | `null` | Integer PK of the active model in `available_models`; required for chat history sync |
+| `temperature` | `0.7` | Sampling temperature passed to the LLM |
+| `request_timeout_ms` | `900000` | HTTP request timeout for inference calls (ms) |
+| `stream` | `true` | Whether to use streaming (`text/event-stream`) for inference |
+| `models` | `[]` | Local model profile overrides (each: `api_base`, `api_key`, `model`) |
+| `theme` | `"dark"` | Terminal color theme |
+| `max_file_size_kb` | `512` | Maximum file size the agent will read (KB) |
+| `command_timeout_ms` | `30000` | Timeout for shell command execution (ms) |
+| `max_output_lines` | `50` | Maximum lines of tool output shown before truncation |
+| `show_token_count` | `true` | Display token usage in the status line after each turn |
+| `show_cost` | `false` | Display estimated cost alongside token count |
+
+---
+
+## Planned Additions
+
+| File | Intended Responsibility |
+|------|------------------------|
+| `lib/audit.js` | Persistent log of all tool calls executed per session (command, args, exit code, timestamp); used for replay and compliance review |
+| `lib/storage.js` | Local SQLite or JSON-lines store for offline chat history, message deduplication, and cache of dashboard responses |
+| `lib/metrics.js` | Collects per-session telemetry (token counts, latency, tool-call frequency) and exposes summary output for `/compact` and future analytics export |

package/CLAUDE.md

@@ -0,0 +1,349 @@
+# semalt-code — CLI Agent
+
+Node.js CLI tool that lets AI agents interact with code via an iterative tool-use loop. Zero external dependencies; uses only Node.js built-ins.
+
+Published as `@semalt-ai/code`. Invokable as `semalt-code` or `semalt`.
+
+---
+
+## Directory Layout
+
+```
+semalt-code/
+├── index.js           # Entry point: arg parsing, module wiring, command dispatch
+├── lib/
+│   ├── api.js         # HTTP client for dashboard auth + OpenAI-compatible inference
+│   ├── agent.js       # Agent loop: stream → extract tools → execute → repeat
+│   ├── commands.js    # All CLI command handlers (chat, code, edit, shell, login, …)
+│   ├── tools.js       # File and shell operation implementations
+│   ├── prompts.js     # System prompt for the LLM (tells it to use exec/read/write tags)
+│   ├── ui.js          # Barrel: re-exports everything from lib/ui/
+│   ├── ui/
+│   │   ├── ansi.js        # ANSI escape constants, THEME, color codes, SPINNER_DEFS
+│   │   ├── utils.js       # getCols, getRows, stripAnsi, hr, boxLine, insertCharAt, …
+│   │   ├── diff.js        # renderDiff (LCS diff), renderMarkdown, _mdInline
+│   │   ├── stream.js      # StreamRenderer — live token-by-token terminal output
+│   │   ├── legacy.js      # StatusBar (cmdCode/cmdEdit), interactiveSelect, SelectMenu
+│   │   ├── layout.js      # LayoutManager — terminal geometry, resize events
+│   │   ├── chat-history.js# ChatHistory — bubble rendering, scroll, streaming slots
+│   │   ├── status-bar.js  # FullStatusBar — animated TUI status line
+│   │   ├── input-field.js # InputField, parseKeySequence, SLASH_CMDS
+│   │   └── create-ui.js   # createUI factory + non-TTY no-op fallback
+│   ├── context.js     # Loads file/directory content into the prompt
+│   ├── config.js      # Read/write ~/.semalt-ai/config.json
+│   ├── permissions.js # Per-session approval tracking for tool calls
+│   ├── args.js        # CLI argument parser
+│   ├── constants.js   # CONFIG_PATH, DEFAULT_CONFIG, DEFAULT_API_TIMEOUT_MS
+│   ├── audit.js       # Append-only audit log for all tool executions
+│   ├── storage.js     # Local session persistence and resume
+│   └── metrics.js     # Token counting, cost estimation, latency tracking
+├── package.json       # name: @semalt-ai/code, version: 1.8.0, bin: semalt / semalt-code
+└── README.md
+```
+
+---
+
+## Tech Stack
+
+| Component | Technology |
+|-----------|-----------|
+| Runtime | Node.js ≥ 16, CommonJS (`require`) |
+| HTTP | Built-in `http`/`https` modules |
+| Shell exec | `child_process.spawnSync` |
+| File I/O | `fs` module |
+| Terminal UI | Raw ANSI escape codes (no chalk, no readline wrappers) |
+| Config | JSON at `~/.semalt-ai/config.json` |
+| LLM protocol | OpenAI-compatible streaming (`text/event-stream`) |
+
+---
+
+## CLI Commands
+
+```
+semalt-code                            # interactive chat (default)
+semalt-code chat                       # interactive chat (explicit)
+semalt-code code <prompt>              # one-shot task with optional file context
+semalt-code edit <file> <instruction>  # targeted file edit
+semalt-code shell <command>            # run shell, optionally ask LLM to analyze output
+semalt-code login                      # browser-based device auth against dashboard
+semalt-code logout                     # clear stored auth_token
+semalt-code whoami                     # show authenticated user
+semalt-code models                     # interactive model selector (fetches from dashboard)
+semalt-code init [options]             # create/update ~/.semalt-ai/config.json
+semalt-code audit                      # print last 50 audit log entries
+semalt-code config [set <key> <val>]   # show or update config keys
+```
+
+### Common Flags
+
+```
+-m, --model <name>        override model for this invocation
+-r, --resume <chat-id>    resume a dashboard chat by ID
+-f, --file <path>         load file or directory as context
+-a, --analyze             have LLM analyze shell output (used with `shell`)
+--dry-run                 preview file edits without writing
+--api-base <url>          LLM API base URL (overrides config)
+--api-key <key>           API key (overrides config)
+--dashboard-url <url>     dashboard base URL (overrides config)
+--default-model <name>    set default model in config
+--show-think              display model reasoning (thinking) content
+--debug                   print raw AI response (stderr) each iteration
+--allow-fs                auto-approve all filesystem operations
+--allow-exec              auto-approve shell command execution
+--allow-net               auto-approve network operations
+--allow-all               auto-approve everything (use carefully)
+--readonly                block all write operations
+--new                     skip session resume prompt
+-v, --version             print version
+-h, --help                print help
+```
+
+### In-Chat Slash Commands
+
+| Command | Effect |
+|---------|--------|
+| `/help` | List slash commands |
+| `/file <path>` | Attach file or directory to context |
+| `/history` | Browse and load a local saved session |
+| `/chats` | Browse and resume a saved chat from the dashboard |
+| `/new` | Start a fresh conversation (detach from current saved chat) |
+| `/model [name]` | Show or switch model |
+| `/models` | Interactive model picker from dashboard |
+| `/shell <cmd>` or `!<cmd>` | Execute shell command |
+| `/compact` | Show token usage estimate and session metrics |
+| `/clear` | Reset conversation history |
+| `/approve` | Toggle auto-approval of tool calls |
+| `/config` | Print current config |
+| `/login` | Start device auth flow |
+| `/whoami` | Show current user |
+| `/logout` | Clear auth token |
+| `exit` / `quit` | Exit |
+
+---
+
+## Agent Loop (`lib/agent.js`)
+
+Maximum 10 iterations per user turn.
+
+```
+1. Send messages[] to LLM via chatStream()
+2. Stream response tokens to terminal (StreamRenderer)
+3. After full response: extract tool-call tags from text
+4. If no tool tags → done
+5. For each tag: request user permission (once / always / no)
+6. Execute approved operations via ToolExecutor (wrapped in try/catch)
+7. Append tool results to messages[]
+8. Goto 1
+```
+
+Each tool dispatch is wrapped in try/catch; errors print a warning and continue to the next tag rather than aborting the loop.
+
+### Tool Tags (parsed from LLM text)
+
+```xml
+<exec>shell command here</exec>
+<shell>shell command here</shell>
+<read_file>/absolute/or/relative/path</read_file>
+<read_file path="/path/to/file"/>
+<write_file path="/path/to/file">file content here</write_file>
+<create_file path="/path/to/file">file content here</create_file>
+<append_file path="/path/to/file">content to append</append_file>
+<list_dir>/path/to/dir</list_dir>
+<search_files pattern="*.ts" dir="src"/>
+<delete_file>/path/to/file</delete_file>
+<make_dir>/path/to/dir</make_dir>
+<remove_dir>/path/to/dir</remove_dir>
+<get_env>ENV_VAR_NAME</get_env>
+<set_env name="VAR" value="value"/>
+<move_file src="/old/path" dst="/new/path"/>
+<copy_file src="/src/path" dst="/dst/path"/>
+<edit_file path="/file" line="42">replacement line content</edit_file>
+<search_in_file path="/file">regex pattern</search_in_file>
+<replace_in_file path="/file" search="old" replace="new"></replace_in_file>
+<download>https://example.com/file.zip</download>
+<upload path="/local/path">base64encodedcontent</upload>
+<file_stat>/path/to/file</file_stat>
+<http_get url="https://example.com/api"/>
+<ask_user question="What is your preferred language?"/>
+<store_memory key="project_lang">TypeScript</store_memory>
+<recall_memory key="project_lang"/>
+<list_memories/>
+<system_info/>
+```
+
+The system prompt (`lib/prompts.js`) instructs the LLM to use exactly these tags. Do not change tag names without updating both `prompts.js` and the parser in `agent.js`.
+
+---
+
+## Tool Operations (`lib/tools.js`)
+
+All operations request permission before execution unless auto-approved.
+Output truncated to `config.max_output_lines` (default 20) to avoid filling context.
+
+| Action | Description |
+|--------|-------------|
+| `read` | Read file content |
+| `write` | Write file (creates parent dirs) |
+| `append` | Append to file |
+| `list_dir` | List directory contents |
+| `delete_file` | Delete file |
+| `make_dir` | Create directory (recursive) |
+| `remove_dir` | Remove directory (recursive) |
+| `move_file` | Move/rename file |
+| `copy_file` | Copy file |
+| `search_files` | Find files matching glob pattern |
+| `search_in_file` | Regex search within file |
+| `replace_in_file` | Replace text in file (regex, optional flags) |
+| `edit_file` | Replace a specific line number in a file |
+| `get_env` / `set_env` | Read/write environment variables |
+| `download` | HTTP GET → save to file |
+| `upload` | Write base64-encoded content to file |
+| `file_stat` | Stat a file (size, mtime, type, mode) |
+| `http_get` | HTTP GET → return body (truncated to max_output_lines) |
+| `ask_user` | Prompt user for input; auto-answers 'y' in non-TTY mode |
+| `store_memory` | Persist a key/value pair to `~/.semalt-ai/memory.json` |
+| `recall_memory` | Read a key from `~/.semalt-ai/memory.json` |
+| `list_memories` | List all stored memory keys |
+| `system_info` | Return platform, arch, hostname, memory, Node version, cwd |
+
+---
+
+## Audit Log (`lib/audit.js`)
+
+Every tool execution is appended to `~/.semalt-ai/audit.log` as NDJSON:
+```json
+{"ts":"2026-01-01T00:00:00.000Z","tag":"exec","input":"{\"command\":\"ls\"}","approved":true,"result":"ok"}
+```
+
+View the last 50 entries with `semalt-code audit`.
+
+---
+
+## Session Storage (`lib/storage.js`)
+
+Local chat sessions are saved to `~/.semalt-ai/sessions/` as JSON files named `<timestamp>-<id>.json`. The `chat` command offers to resume the most recent session (< 24 h old) on startup unless `--new` or `--resume` is passed. Use `/history` in-chat to browse and load any saved session.
+
+---
+
+## Metrics (`lib/metrics.js`)
+
+`Metrics` is instantiated per `runAgentLoop` call and tracks per-turn token usage, latency, and total session duration. A summary box is printed on exit (SIGINT or natural quit) and after `cmdCode` runs. Use `/compact` in-chat to see the live summary.
+
+---
+
+## API Client (`lib/api.js`)
+
+Handles two distinct concerns:
+
+**Inference** (OpenAI-compatible):
+- `chatStream(messages, model, opts)` → streams tokens, calls `onToken`, returns `{ content, usage }`
+- URL: `config.api_base` normalized to include `/v1` if missing
+- Supports `reasoning_content` field for extended-thinking models
+
+**Dashboard** (cli.semalt.ai backend):
+- `requestCliLogin()` → `POST /api/auth/cli/request`
+- `getCliLoginStatus(id, token)` → `POST /api/auth/cli/status`
+- `dashboardWhoAmI()` → `GET /api/auth/me`
+- `dashboardLogout()` → `POST /api/auth/logout`
+- `dashboardListModels()` → `GET /api/models`
+- `dashboardGetModelForCli(id)` → `GET /api/models/{id}/cli`
+- `dashboardCreateChat(title, modelDbId)` → `POST /api/chats`
+- `dashboardListChats()` → `GET /api/chats`
+- `dashboardGetChat(id)` → `GET /api/chats/{id}`
+- `dashboardSaveMessages(chatId, messages)` → `POST /api/chats/{id}/messages/batch`
+
+All dashboard calls send `Authorization: Bearer <auth_token>` from config.
+
+---
+
+## Config File (`~/.semalt-ai/config.json`)
+
+Managed by `lib/config.js`. Normalized on every load. The config directory is created automatically if it does not exist.
+
+```json
+{
+  "api_base":            "http://127.0.0.1:8800",
+  "api_key":             "any",
+  "dashboard_url":       "https://cli.semalt.ai",
+  "auth_token":          "",
+  "default_model":       "default",
+  "dashboard_model_id":  null,
+  "temperature":         0.7,
+  "request_timeout_ms":  900000,
+  "stream":              true,
+  "theme":               "dark",
+  "max_file_size_kb":    512,
+  "command_timeout_ms":  30000,
+  "max_output_lines":    50,
+  "show_token_count":    true,
+  "show_cost":           false,
+  "context_length":      null,
+  "models": [
+    {
+      "name":           "local-llama",
+      "api_base":       "http://127.0.0.1:11434",
+      "api_key":        "any",
+      "model":          "llama3",
+      "context_length": 8192
+    }
+  ]
+}
+```
+
+- `api_base` is normalized to always include `/v1`.
+- Legacy key `semalt_base_url` is migrated to `api_base` on load.
+- `auth_token` is written by `semalt-code login` and cleared by `logout`.
+- `dashboard_model_id` is the integer PK of the active model in `available_models`; written when a model is selected via `/models`. Required for chat history sync — if null, history sync is silently skipped.
+- `max_file_size_kb` caps how large a file may be before read is refused (default 512 KB).
+- `command_timeout_ms` caps shell command execution time (default 30 s).
+- `max_output_lines` caps shell and HTTP response lines returned to the agent (default 50).
+- `show_token_count` controls whether token count is shown in the status bar.
+- `show_cost` reserved for future cost-display feature.
+- `context_length` / `models[].context_length` — token limit used for context-usage bar and warnings.
+- Local `models[]` entries override dashboard models when selected.
+
+---
+
+## Key Patterns & Invariants
+
+- **No dependencies**: keep it that way. Any new feature must use Node.js built-ins only.
+- **CommonJS**: all files use `require()`/`module.exports`. Do not use ES `import`/`export`.
+- **Streaming**: `api.js` manually parses `text/event-stream`. The parser in `chatStream()` handles partial JSON lines — be careful editing it.
+- **Permissions are per-session**: `PermissionManager` resets on each CLI invocation. Approvals never persist to disk. In non-TTY mode all tool calls are auto-approved with a warning.
+- **Token counting is approximate**: `estimateTokens()` divides char count by 4. It is used only for the `/compact` display — do not rely on it for hard limits.
+- **Tool output is truncated**: `tools.js` caps output at `max_output_lines` (default 50). Configurable via config.
+- **Max 10 agent iterations**: hard-coded in `agent.js`. Prevents runaway loops.
+- **Malformed tags are skipped**: each tool dispatch in the agent loop is wrapped in try/catch; errors emit a warning line and continue to the next tool call.
+
+---
+
+## Development & Publishing
+
+```bash
+# Run locally
+node index.js chat
+
+# Symlink for global use during dev
+npm link
+
+# Publish to npm
+npm publish --access public
+```
+
+Version is in `package.json`. Bump it with every published change.
+
+---
+
+## Keeping This File Up-to-Date
+
+Update this file when:
+- A new CLI command or slash command is added (update the commands tables).
+- A new tool action is added to `tools.js` (update the Tool Operations table).
+- The agent loop behavior changes (max iterations, tag format, approval flow).
+- A new `lib/` module is added.
+- The config schema changes (new keys, renamed keys, migration logic).
+- A new dashboard API call is added to `api.js`.
+- The system prompt in `prompts.js` changes in a way that affects tool-tag syntax.
+- The Node.js version requirement changes.
+
+When renaming or removing a tool tag, update **both** `prompts.js` and `agent.js` atomically and note it here.

package/index.js

@@ -1,8 +1,12 @@
 #!/usr/bin/env node
 'use strict';
 
+const fs = require('fs');
+const os = require('os');
+const path = require('path');
+
 const { PACKAGE_JSON } = require('./lib/constants');
-const { loadConfig, saveConfig } = require('./lib/config');
+const { loadConfig, saveConfig, configSet, configShow } = require('./lib/config');
 const ui = require('./lib/ui');
 const { createPermissionManager } = require('./lib/permissions');
 const { createToolExecutor, extractToolCalls } = require('./lib/tools');
@@ -12,6 +16,7 @@ const { createAgentRunner } = require('./lib/agent');
 const { createCommands } = require('./lib/commands');
 const { parseArgs } = require('./lib/args');
 const { CONFIG_PATH } = require('./lib/constants');
+const { AUDIT_LOG } = require('./lib/audit');
 
 let config = loadConfig();
 
@@ -24,8 +29,20 @@ function setConfig(nextConfig) {
   saveConfig(config);
 }
 
-const permissionManager = createPermissionManager(ui);
-const { agentExecShell, agentExecFile } = createToolExecutor(permissionManager, ui);
+// Pre-scan argv for permission tier flags before creating PermissionManager
+const _argv = process.argv.slice(2);
+const _allowedTiers = [];
+if (_argv.includes('--allow-all')) {
+  _allowedTiers.push('fs', 'exec', 'net', 'sys');
+} else {
+  if (_argv.includes('--allow-fs')) _allowedTiers.push('fs');
+  if (_argv.includes('--allow-exec')) _allowedTiers.push('exec');
+  if (_argv.includes('--allow-net')) _allowedTiers.push('net');
+}
+const _readonly = _argv.includes('--readonly');
+
+const permissionManager = createPermissionManager(ui, { allowedTiers: _allowedTiers, readonly: _readonly });
+const { agentExecShell, agentExecFile } = createToolExecutor(permissionManager, ui, getConfig);
 const apiClient = createApiClient({
   getConfig,
   saveConfig: (nextConfig) => {
@@ -77,12 +94,12 @@ Commands:
   login             Authorize CLI via browser
   whoami            Show current authorized user
   logout            Clear current CLI login
-  models            Choose one of your dashboard models
-  models add        Add a saved model profile
+  models            Choose a model
   init              Initialize config
 
 Options:
   -m, --model <name>      Model name
+  -r, --resume <chat-id>  Resume a saved chat     (chat command)
   -f, --file <path>       Load file into context  (code command)
   -a, --analyze           Analyze output with AI  (shell command)
   --dry-run               Don't save changes      (edit command)
@@ -90,6 +107,14 @@ Options:
   --api-key  <key>        API key                 (init)
   --dashboard-url <url>   Dashboard URL           (init)
   --default-model <name>  Default model           (init)
+  --show-think            Display model reasoning (thinking) content
+  --debug                 Print messages sent to agent + raw AI response (stderr) each iteration
+  --allow-fs              Auto-approve all filesystem operations
+  --allow-exec            Auto-approve shell command execution
+  --allow-net             Auto-approve network operations
+  --allow-all             Auto-approve everything (use carefully)
+  --readonly              Block all write operations
+  --new                   Skip session resume prompt
   -v, --version           Show CLI version
 
 Config: ${CONFIG_PATH}
@@ -121,11 +146,48 @@ Config: ${CONFIG_PATH}
   } else if (command === 'logout') {
     await commands.cmdLogout();
   } else if (command === 'models') {
-    if (rawArgs[1] === 'add') await commands.cmdModelsAdd();
-    else await commands.cmdModels();
+    await commands.cmdModels();
   } else if (command === 'init') {
     const { opts } = parseArgs(rawArgs.slice(1));
     commands.cmdInit(opts);
+  } else if (command === 'audit') {
+    try {
+      const content = fs.readFileSync(AUDIT_LOG, 'utf8');
+      const lines = content.trim().split('\n').filter((l) => l.trim());
+      const last50 = lines.slice(-50);
+      for (const line of last50) {
+        try {
+          const entry = JSON.parse(line);
+          const icon = entry.approved ? `${ui.FG_GREEN}✓${ui.RST}` : `${ui.FG_RED}✗${ui.RST}`;
+          console.log(`${icon} ${line}`);
+        } catch {
+          console.log(line);
+        }
+      }
+    } catch {
+      console.log('No audit log found.');
+    }
+  } else if (command === 'config') {
+    const sub = rawArgs[1];
+    if (sub === 'set') {
+      const key = rawArgs[2];
+      const value = rawArgs[3];
+      if (!key || value === undefined) {
+        process.stderr.write(`Usage: semalt-code config set <key> <value>\n`);
+        process.exit(1);
+      }
+      let parsed;
+      try {
+        parsed = JSON.parse(value);
+      } catch {
+        parsed = value;
+      }
+      configSet(key, parsed);
+      console.log(`Set ${key} = ${JSON.stringify(parsed)}`);
+    } else {
+      // default: "show" or bare "config"
+      console.log(configShow());
+    }
   } else {
     const { opts } = parseArgs(rawArgs);
     await commands.cmdChat(opts);